I am the CUPS-PDF developer. Though I am not using Debian I am quite
confused by this behaviour: CUPS-PDF is supposed to be mode 700 on CUPS
>v1.2.x environments (so unprivileged users should not even be able to
execute it). Furthermore CUPS-PDF is explicitly not meant to be
installed SUID 'root' (neither is ghostscript) - so how can those two
programs access /etc/shadow at all?
Please check the permissions of the CUPS-PDF backend and GS - neither
should be SUID 'root' under any circumstances. CUPS-PDF should even more
be mode 700 executable by 'root' only. If this is not the case in the
default installation it has to be fixed in the Debian package.

On Fri, 2007-02-02 at 11:31 +0100, Grzegorz Żur wrote:
> Package: cups-pdf
> Version: 2.4.2-1
> Severity: critical
> Justification: root security hole
> Tags: security
> 
> Unprivileged user can execute /usr/lib/cups/backend/cups-pdf to read
> parts of any file. End of file is printed by Ghostscript in error report.
> 
> Execution of this command as unprivileged user
>   /usr/lib/cups/backend/cups-pdf shadow user title 1 '' /etc/shadow
> will result in Ghostscript error showing last line of /etc/shadow file
> (possibly containing password hash)
>   ERROR: /undefined in saned:!:13511:0:99999:7:::
>   ...
> 
> -- System Information:
> Debian Release: 4.0
>   APT prefers unstable
>   APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-albemuth
> Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
> 
> Versions of packages cups-pdf depends on:
> ii  cupsys                   1.2.7-3         Common UNIX Printing System(tm) -
> ii  gs-esp                   8.15.3.dfsg.1-1 The Ghostscript PostScript interpr
> ii  libc6                    2.3.6.ds1-10    GNU C Library: Shared libraries
> 
> cups-pdf recommends no packages.
> 
> -- no debconf information
> 
-- 

Volker Christian Behr
Experimentelle Physik V (Biophysik), Physikalisches Institut
Universitaet Wuerzburg, Am Hubland, 97074 Wuerzburg, Germany

Office: Room F-069a
+49-931-888-5766 (phone)
+49-931-888-5851 (fax)
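The permission check the reply above asks Debian users to perform, written out as an added example; this is not code from the CUPS-PDF project or the Debian package. It encodes exactly the two expectations stated in the reply (neither the backend nor Ghostscript may be setuid/setgid, and the backend must be mode 0700 owned by root). The default paths are the ones named in the bug report; the environment variable names used to override them are an assumption of this example, and the checks rely only on POSIX `test` and `find`.

```shell
#!/bin/sh
# Permission audit for the CUPS-PDF backend and Ghostscript.
# Added example, not code from the CUPS-PDF project or the Debian package.
# Expectations checked: neither binary is setuid/setgid; the backend is
# mode 0700 and owned by root. Paths default to the locations named in
# the bug report; the override variables are assumed names.

CUPS_PDF_BACKEND="${CUPS_PDF_BACKEND:-/usr/lib/cups/backend/cups-pdf}"
GS_BIN="${GS_BIN:-$(command -v gs 2>/dev/null || echo /usr/bin/gs)}"

# True if FILE carries the setuid or setgid bit (POSIX test -u / -g).
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# True if FILE's mode bits are exactly 0700: no group/other access and no
# setuid/setgid/sticky bit. find -perm without a leading '-' is an exact
# match on the full mode bits, so 4700 does not pass.
is_mode_700() {
    [ -n "$(find "$1" -prune -perm 700 -print 2>/dev/null)" ]
}

# True if FILE is owned by user OWNER.
is_owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# audit_file FILE OWNER REQUIRE_700
# Prints every violated expectation for FILE and returns the number of
# findings (0 = acceptable). An empty OWNER skips the ownership check;
# REQUIRE_700=1 additionally demands the exact 0700 mode.
audit_file() {
    f=$1 owner=$2 need700=$3 findings=0
    if [ ! -e "$f" ]; then
        echo "SKIP  $f: not present"
        return 0
    fi
    if is_setid "$f"; then
        echo "FAIL  $f: setuid/setgid bit set; must never be set"
        findings=$((findings + 1))
    fi
    if [ -n "$owner" ] && ! is_owned_by "$f" "$owner"; then
        echo "FAIL  $f: not owned by $owner"
        findings=$((findings + 1))
    fi
    if [ "$need700" = 1 ] && ! is_mode_700 "$f"; then
        echo "FAIL  $f: mode is not 0700 (should be executable by $owner only)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK    $f"
    return "$findings"
}

# Apply the checks to the two binaries named in the report: the backend
# must be root-owned and 0700, Ghostscript only needs to be non-setuid.
audit_cups_pdf() {
    total=0
    audit_file "$CUPS_PDF_BACKEND" root 1 || total=$((total + $?))
    audit_file "$GS_BIN" "" 0 || total=$((total + $?))
    return "$total"
}

audit_cups_pdf || echo "audit: $? finding(s)"
```

Run it as any user on the affected host; a `FAIL` line for the backend means the installed package does not match the permissions the developer describes, which is the condition the report depends on. The script prints findings rather than exiting non-zero so it can be sourced; for a CI gate, replace the trailing `echo` with `exit $?`.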
